GDPR Compliance Software Is Not a Cookie Banner
The General Data Protection Regulation has applied since 25 May 2018. In the eight years since, it has produced over four billion euros in fines, an entire cottage industry of consent pop-ups, and a widespread organizational belief that installing a cookie banner constitutes a privacy program.
It does not.
GDPR compliance software exists to help organizations meet the full scope of the regulation: data mapping, subject access requests, breach notification, data protection impact assessments, consent management, and the governance framework that holds it all together. The problem is that most tools marketed as "GDPR solutions" address exactly one of those requirements, leaving the rest to spreadsheets and optimism.
This guide covers what the regulation actually requires from a software perspective, how to evaluate tools that claim to solve it, and why the gap between "having a GDPR tool" and "being GDPR compliant" is wider than most organizations realize.
What the GDPR Actually Requires (A Software Perspective)
The regulation contains 99 articles. Not all of them translate into software requirements, but a surprising number do. Here are the core obligations that GDPR compliance software should address:
| GDPR Requirement | Relevant Articles | What Software Should Do |
|---|---|---|
| Lawful basis documentation | Art. 6, 9 | Record and manage the lawful basis for every processing activity |
| Data mapping / RoPA | Art. 30 | Maintain records of processing activities across all systems |
| Consent management | Art. 7, 8 | Collect, store, and prove granular consent with withdrawal capability |
| Data subject rights (DSARs) | Art. 15-22 | Automate access, rectification, erasure, portability, and objection requests |
| Breach notification | Art. 33, 34 | Track incidents with 72-hour supervisory authority notification workflow |
| DPIAs | Art. 35 | Conduct and document data protection impact assessments for high-risk processing |
| Data transfers | Art. 44-49 | Track cross-border data flows and document transfer mechanisms (SCCs, adequacy) |
| Vendor management | Art. 28 | Manage processor agreements and sub-processor oversight |
| Privacy by design | Art. 25 | Embed data protection into systems and processes from the start |
| DPO management | Art. 37-39 | Support the Data Protection Officer's oversight and reporting functions |
If your current "GDPR tool" only handles one row in that table, you do not have GDPR compliance software. You have a feature.
The Five Categories of GDPR Tools
The market for GDPR compliance software has fragmented into five distinct categories, each solving a different slice of the problem. Understanding which category a tool belongs to prevents the common mistake of buying a consent platform and calling it a compliance program.
1. Consent Management Platforms (CMPs)
Tools like Cookiebot, OneTrust CMP, and Usercentrics. They manage cookie consent banners, preference centers, and consent records. Essential, and worth placing correctly: the requirement to obtain consent before storing cookies comes from the ePrivacy Directive (Art. 5(3)), while the GDPR sets the standard that consent must meet. A CMP therefore addresses Articles 7 and 8 while leaving Articles 6, 15-22, 25, 28, 30, 33-35, and 44-49 entirely untouched.
2. Data Mapping and Discovery
Tools that scan your infrastructure to identify where personal data lives. BigID, Securiti, and OneTrust's data discovery module fall here. They address Article 30 (Records of Processing Activities) and support DPIAs under Article 35.
3. DSAR Automation
Platforms that handle data subject access requests — intake, identity verification, data retrieval, and response. DataGrail, Mine PrivacyOps, and Transcend specialize here. They address Articles 15 through 22.
4. Privacy Management Suites
Comprehensive platforms that attempt to cover multiple GDPR requirements in one product. OneTrust (full suite), TrustArc, and Securiti fall into this category. They offer breadth, though depth in any single area can vary.
5. Statement-Based Governance Platforms
A newer approach that organizes GDPR compliance around atomic governance statements rather than monolithic documents or single-function tools. Each GDPR requirement becomes a discrete, versionable, testable unit of governance intent — with maturity levels, ownership, and comprehension verification.
This is the approach Dictiva takes. More on this in a moment.
How to Evaluate GDPR Compliance Software
Not all organizations need the same thing. A 50-person SaaS startup processing EU customer data has different requirements than a multinational bank with a 20-person privacy team. Here is a practical framework for evaluation:
Evaluation Criteria Matrix
| Criterion | Questions to Ask | Weight (Startup) | Weight (Enterprise) |
|---|---|---|---|
| Requirement coverage | How many of the 10 GDPR requirements above does it address? | High | High |
| Data mapping depth | Does it discover data automatically, or rely on manual inventories? | Medium | High |
| DSAR automation | End-to-end automation or just intake forms? | High | High |
| Multi-regulation support | Does it handle GDPR alongside CCPA, LGPD, UK GDPR, POPIA, etc.? | Low | High |
| Governance framework | Does it provide structure for policies, standards, and accountability? | Medium | High |
| Comprehension verification | Does your team understand GDPR obligations, or just sign a policy? | Medium | High |
| Integration ecosystem | Connects with your data stack, HR, cloud infrastructure? | High | High |
| Audit trail | Immutable logs for supervisory authority inquiries? | Medium | High |
| Scalability | Can it grow from 1 entity to 50 without an implementation project? | Low | High |
| Total cost of ownership | Licensing, implementation, ongoing configuration, training? | High | Medium |
The Questions Most Buyers Forget to Ask
Vendor demos are designed to show you the best feature. These questions expose the gaps:
- "Show me a breach notification workflow that meets the 72-hour deadline." Article 33 requires notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, with a reasoned explanation for any delay. Many tools record breaches but lack the timed escalation needed to hit that window. The regulation does not care that your ticket was in the backlog.
- "How do you handle a DSAR that spans three data processors and two jurisdictions?" Simple DSARs are easy. Cross-system, cross-border requests reveal whether the tool actually automates or just creates a tracking ticket for someone to handle manually.
- "What happens to our data if we leave?" GDPR applies to your vendor relationship too. Ask about data portability, deletion confirmation, and post-termination processing agreements.
- "Can you show us the governance statements behind your GDPR module?" If the answer is "we don't have governance statements," the tool is a workflow engine without a governance backbone. Workflows tell you how. Statements tell you what and why.
Why Consent Banners Are Not a Compliance Strategy
This point deserves its own section because the misconception is pervasive.
Cookie consent management is one obligation among many. A well-implemented consent banner addresses perhaps 10% of the GDPR's requirements. The other 90% — data mapping, subject rights, breach response, impact assessments, cross-border transfers, processor oversight, privacy by design — require governance infrastructure that no consent platform provides.
The analogy in information security is instructive: installing a firewall does not make you SOC 2 compliant. You need policies, access controls, monitoring, incident response, vendor management, and the governance framework that ties them together. The same principle applies to GDPR. A cookie banner is your firewall. Where is everything else?
Organizations that discover this gap usually discover it at the worst possible time — when a supervisory authority sends an inquiry, when a data subject exercises their rights, or when a breach occurs and the 72-hour clock starts ticking.
For a deeper look at how compliance automation relates to governance infrastructure, see our guide on compliance automation and governance tools.
Building a GDPR Governance Foundation
Effective GDPR compliance software should help you build a governance foundation — not just automate individual tasks. That foundation has three layers:
Layer 1: Governance Statements
Every GDPR obligation should be expressed as a discrete, testable governance statement. Not a 40-page privacy policy that no one reads, but atomic units of intent that can be owned, measured, and verified.
Examples of GDPR governance statements:
- "Personal data processing activities are documented in a Record of Processing Activities (RoPA) that is reviewed quarterly."
- "Data subject access requests are acknowledged within 48 hours and fulfilled within one month of receipt; any Article 12(3) extension is decided and communicated to the data subject within that first month."
- "Data protection impact assessments are conducted before initiating any processing activity that presents a high risk to individuals' rights and freedoms."
Each statement has an owner, a maturity level, and a measurable compliance state. This is the statement-first governance approach — and it maps directly to how regulators think about compliance.
For practical guidance on getting started with this structure, the data governance framework guide walks through the foundational steps.
Layer 2: Data Classification and Mapping
You cannot protect personal data if you do not know where it lives. Data classification is the prerequisite for nearly every GDPR obligation — from consent management (knowing what data you process) to DSARs (knowing where to find it) to breach notification (knowing what was exposed).
Your GDPR compliance software should either provide data classification natively or integrate with tools that do. The data classification policy guide covers the governance foundation for this capability.
Layer 3: Operational Workflows
With governance statements defining what you intend to do, and data classification telling you what you need to protect, operational workflows handle the day-to-day execution:
- DSAR intake and fulfillment — identity verification, data retrieval across systems, response generation, deadline tracking
- Breach response — detection, assessment, 72-hour authority notification, affected individual communication
- Consent lifecycle — collection, storage, withdrawal, re-consent for new purposes
- DPIA execution — risk identification, mitigation planning, DPO consultation, documentation
- Vendor assessment — processor agreement management, sub-processor tracking, adequacy verification
The software should automate these workflows, but automation without governance is just faster paperwork. Building your compliance management program on a governance foundation ensures that automation serves strategy rather than replacing it.
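The two deadlines in those workflows are the ones tools most often get subtly wrong: the DSAR period in Article 12(3) is "one month", not 30 days, and the Article 33 clock runs from the moment the controller becomes aware of the breach, not from the incident or from the ticket being opened. The following is an added illustration written for this article, not code from Dictiva or any product mentioned. It assumes the common EU convention for periods expressed in months (the same day of the following month, or the last day of that month when the day does not exist) and leaves out the weekend and public-holiday roll-over that some authorities apply; confirm both points with your supervisory authority before encoding them in a tracker.

```python
"""Statutory deadline computation for two GDPR workflows: the DSAR response
period (Art. 12(3)) and breach notification to the supervisory authority
(Art. 33(1)). Added example; not part of any product. Assumption: a period of
N months ends on the same day-of-month N months later, clamped to the last
day of that month when the day does not exist.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def add_months(moment: datetime, months: int) -> datetime:
    """Advance by calendar months, clamping to the last valid day of the month.
    31 January + 1 month is 28 or 29 February, not 2 or 3 March."""
    month_index = moment.month - 1 + months
    year = moment.year + month_index // 12
    month = month_index % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class DsarDeadline:
    received: datetime
    respond_by: datetime          # Art. 12(3): one month from receipt
    extension_notice_by: datetime  # any extension must be communicated within that month
    max_extended_by: datetime     # at most two further months, so three in total


def dsar_deadlines(received: datetime) -> DsarDeadline:
    respond_by = add_months(received, 1)
    return DsarDeadline(
        received=received,
        respond_by=respond_by,
        extension_notice_by=respond_by,
        max_extended_by=add_months(received, 3),
    )


def breach_notification_deadline(became_aware: datetime) -> datetime:
    """Art. 33(1): notify without undue delay and, where feasible, not later
    than 72 hours after becoming aware. The input is the awareness time."""
    return became_aware + timedelta(hours=72)


def hours_remaining(deadline: datetime, now: datetime) -> float:
    """Positive while the window is open, negative once it has been missed."""
    return (deadline - now).total_seconds() / 3600


def days_off_by_using_30_days(received: datetime) -> int:
    """How far a naive '30 days' rule lands from the statutory one-month rule.
    Negative means 30 days would overshoot the real deadline."""
    return (add_months(received, 1) - (received + timedelta(days=30))).days


def dsar_schedule(received_iso: str) -> dict[str, str]:
    """ISO-8601 in, ISO-8601 out, shaped for a ticketing system field set."""
    d = dsar_deadlines(datetime.fromisoformat(received_iso))
    return {
        "respond_by": d.respond_by.isoformat(),
        "extension_notice_by": d.extension_notice_by.isoformat(),
        "max_extended_by": d.max_extended_by.isoformat(),
    }


def breach_schedule(became_aware_iso: str) -> str:
    return breach_notification_deadline(datetime.fromisoformat(became_aware_iso)).isoformat()


if __name__ == "__main__":
    utc = timezone.utc
    # Constructed sample inputs, chosen to expose the month-length edge case
    # and a Friday-evening breach whose 72 hours expire on Monday evening.
    request = datetime(2025, 1, 31, 9, 0, tzinfo=utc)
    d = dsar_deadlines(request)
    print(f"DSAR received {request:%Y-%m-%d}: respond by {d.respond_by:%Y-%m-%d}, "
          f"absolute latest {d.max_extended_by:%Y-%m-%d}")
    print(f"A 30-day tracker would be off by {days_off_by_using_30_days(request)} day(s)")
    aware = datetime(2025, 3, 7, 17, 30, tzinfo=utc)
    print(f"Breach known {aware:%Y-%m-%d %H:%M}: notify SA by "
          f"{breach_notification_deadline(aware):%Y-%m-%d %H:%M}")
```

Note that the month arithmetic, not the 72-hour subtraction, is where trackers drift: a request received on 31 January under a "30 days" rule gets a deadline two days after the statutory one in a non-leap year, and the tool will report green while the regulator's clock has already expired.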
The Real Cost of Getting GDPR Wrong
Fines get the headlines, but the operational costs of non-compliance are often more punishing:
| Cost Category | Impact |
|---|---|
| Regulatory fines | Up to 4% of total worldwide annual turnover of the preceding financial year or EUR 20 million, whichever is higher (Art. 83(5)) |
| DSAR remediation | Manual DSAR fulfillment costs EUR 3,000-5,000 per request at scale |
| Breach response | Average data breach cost in the EU: EUR 4.3 million (IBM, 2025) |
| Contract delays | EU enterprise buyers require demonstrated GDPR compliance before procurement |
| Reputation damage | Public enforcement decisions are published by supervisory authorities |
| Operational disruption | Supervisory authority investigations consume 6-18 months of senior leadership attention |
The European Data Protection Board publishes enforcement guidelines and decisions that provide insight into what supervisory authorities prioritize. Two patterns emerge: organizations that cannot demonstrate governance structure (not just technical controls) face higher penalties, and those that cannot produce records of processing activities under Article 30 face the broadest investigative scrutiny.
Statement-Based GDPR Compliance
The traditional approach to GDPR compliance follows a familiar pattern: hire a consultant, produce a stack of documents, implement a few tools, and hope the auditor does not look too closely.
The statement-based approach inverts this. Instead of starting with documents, you start with discrete governance statements — each one mapping to a specific GDPR obligation, each one with a clear owner, maturity level, and verification mechanism.
Dictiva's governance library includes pre-written GDPR governance statements covering:
- Data protection principles — lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, accountability
- Individual rights — access, rectification, erasure, restriction, portability, objection, automated decision-making
- Organizational measures — DPO appointment, records of processing, DPIAs, breach notification, cross-border transfers
- Technical measures — encryption standards, pseudonymization, access controls, data retention automation
Each statement can be adopted as-is or customized to your organization's context. They map to GDPR articles, integrate with broader compliance management frameworks, and support maturity progression from foundational to advanced.
For organizations building a governance program from scratch, the statements guide explains the anatomy of a governance statement and how statements compose into a coherent compliance program.
Choosing the Right Tool for Your Organization
The right GDPR compliance software depends on where you are, not where the vendor wants you to be:
If you are just starting with GDPR compliance: Begin with governance statements that define your obligations, then add tooling for the operational workflows (DSARs, consent, breach response). Starting with tools before governance is building a house on sand.
If you have consent management but nothing else: You have addressed the most visible requirement, but not the one that determines how an inquiry goes. Prioritize data mapping and DSAR automation next; a records-of-processing request and a complaint about an unanswered DSAR are the usual openings for supervisory authority scrutiny.
If you have a mature privacy program: Look for tools that provide governance structure, comprehension verification, and maturity measurement. You have the workflows; what you need is assurance that your team understands and follows them.
If you operate across multiple regulations: GDPR is rarely the only regulation that applies. A platform that maps governance statements to multiple frameworks — GDPR, CCPA, UK GDPR, LGPD, and emerging AI governance requirements — eliminates the redundancy of managing each regulation in isolation.
Getting Started
GDPR compliance is not a product you buy. It is a governance capability you build — with software supporting the structure, not replacing it.
Start by understanding your obligations. Define governance statements for each one. Classify your data. Then choose software that automates the operational workflows on top of that governance foundation.
Dictiva offers a free tier with access to GDPR governance statements, data protection domain coverage, and the governance structure to build on. Explore the governance library to see how statement-based compliance works in practice, or review pricing plans to find the right starting point for your organization.
The GDPR is not going away. Your approach to it should be built to last longer than a cookie banner.